Abstract

We propose two optimal representations for the elements of trace zero subgroups of
twisted Edwards curves. For both representations, we provide efficient compression and
decompression algorithms. The efficiency of these algorithms is compared with that of the
corresponding algorithms on elliptic curves in Weierstrass form.


Introduction 

Trace zero subgroups are subgroups of the groups of points of an elliptic curve over extension
fields. They were first proposed for use in public key cryptography by Frey in [?]. A main
advantage of trace zero subgroups is that they offer a better scalar multiplication performance
than the whole group of points of an elliptic curve of approximately the same cardinality. This
allows a fast arithmetic, which can speed up the calculations by 30% compared with elliptic
curve groups (see e.g. [?] for the case of hyperelliptic curves, [3] and [8] for elliptic curves over
fields of even characteristic). In addition, computing the cardinality of a trace zero subgroup
is more efficient than for the group of points of an elliptic curve of approximately the same
cardinality. Moreover, the DLP in a trace zero subgroup has the same complexity as the DLP
in the group of $\mathbb{F}_{q^n}$-rational points of the curve, of which the trace zero subgroup is a proper
subgroup. Hence, when we restrict to this subgroup, we gain a more efficient arithmetic
without compromising the security. Finally, in the context of pairings, trace zero subgroups
of supersingular elliptic curves offer higher security than supersingular elliptic curves of the
same bit-size, as shown in [15].

The problem of how to compress the elements of the trace zero subgroup is the analogue,
within elliptic (and hyperelliptic) curve cryptography, of torus-based cryptography in finite
fields. For elliptic and hyperelliptic curves this problem has been studied by many authors;
see [?], [?], [?], [?], and [?].

Edwards curves were first introduced by H.M. Edwards in [9] as a normal form for elliptic
curves. They were proposed for use in elliptic curve cryptography by Bernstein and Lange
in [4]. Twisted Edwards curves were introduced shortly after in [6]. They are relevant from
a cryptographic point of view since the group operation can be computed very efficiently
and via strongly unified formulas, i.e. formulas that do not distinguish between addition and
doubling. This makes them more resistant to side-channel attacks. We refer to [?], [?], and [?]
for a detailed discussion of the advantages of Edwards curves.

In this paper, we provide two efficient representations for the elements of the trace zero
subgroups of twisted Edwards curves. The first one follows ideas from [11] and is based
on Weil restriction of scalars and Semaev's summation polynomials. The second one follows
ideas from [12] and makes use of rational functions on the curve. Some obstacles have to
be overcome in adapting these ideas to Edwards curves, especially in adapting the method
from [12].

Given a twisted Edwards curve defined over a finite field $\mathbb{F}_q$ of odd characteristic and
a field extension $\mathbb{F}_q \subseteq \mathbb{F}_{q^n}$ of odd prime degree, we consider the trace zero subgroup $T_n$ of
the group of $\mathbb{F}_{q^n}$-rational points of the curve. We give two efficiently computable maps from
$T_n$ to $\mathbb{F}_q^{n-1}$, such that inverse images can also be efficiently computed. One of our maps
identifies Frobenius conjugates, while the other identifies Frobenius conjugates and negatives
of points. Since $T_n$ has order $\Theta(q^{n-1})$, our maps are optimal representations of $T_n$ modulo
Frobenius equivalence. For both representations we provide efficient algorithms to calculate
the image and the preimage of an element, that is, to compress and decompress points. We
also compare with the corresponding algorithms for trace zero subgroups of elliptic curves in
short Weierstrass form.

The article is organized as follows: In Section 1 we give some preliminaries on twisted Edwards
curves, finite fields, trace zero subgroups, and representations. In Section 2 we present
our first optimal representation based on Weil restriction and summation polynomials, and
give compression and decompression algorithms. We then make explicit computations for the
cases $n = 3$ and $n = 5$, and compare execution times of our Magma implementation with
those of the corresponding algorithms for elliptic curves in short Weierstrass form. In Section 3
we propose another representation based on rational functions, with the corresponding
algorithms, computations, and efficiency comparison.

1 Preliminaries and notations 

Let $\mathbb{F}_q$ be a finite field of odd characteristic and let $\mathbb{F}_q \subseteq \mathbb{F}_{q^n}$ be a field extension of odd prime
degree. Choose a normal basis $\{\alpha, \alpha^q, \ldots, \alpha^{q^{n-1}}\}$ of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$. If $n \mid q-1$, let $\mathbb{F}_{q^n} = \mathbb{F}_q[\xi]/(\xi^n - \mu)$,
where $\mu$ is not an $n$-th power in $\mathbb{F}_q$, and choose the basis $\{1, \xi, \ldots, \xi^{n-1}\}$ of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$.
This choice is particularly suitable for computation, since it produces sparse equations. When
writing explicit formulas, we always assume that we are in the latter situation.

When counting the number of operations in our computations, we denote respectively 
by M, S, and I multiplications, squarings, and inversions in the field. We do not take into 
account additions and multiplications by constants. The timings for the implementation of 
our algorithms in Magma refer to version V2.20-7 of the software, running on a single 3 GHz 
core. 

1.1 Twisted Edwards curves 

Definition 1. A twisted Edwards curve over $\mathbb{F}_q$ is a plane curve of equation

$$E_{a,d} : a x^2 + y^2 = 1 + d x^2 y^2,$$

where $a, d \in \mathbb{F}_q \setminus \{0\}$ and $a \neq d$. An Edwards curve is a twisted Edwards curve with $a = 1$.

Twisted Edwards curves are curves of geometric genus one with two ordinary multiple
points, namely the two points at infinity. Since $E_{a,d}$ is birationally equivalent to a smooth
elliptic curve, one can define a group law on the set of points of $E_{a,d}$, called the twisted
Edwards addition law.


Definition 2. The sum of two points $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ of $E_{a,d}$ is defined as

$$P_1 + P_2 = (x_1, y_1) + (x_2, y_2) = \left( \frac{x_1 y_2 + x_2 y_1}{1 + d x_1 x_2 y_1 y_2},\ \frac{y_1 y_2 - a x_1 x_2}{1 - d x_1 x_2 y_1 y_2} \right).$$


We refer to [?, Section 3] and [?, Section 6] for a detailed discussion of the formulas and
a proof of correctness. The point $O = (0, 1) \in E_{a,d}$ is the neutral element of the addition,
and we denote by $-P$ the additive inverse of $P$. If $P = (x, y)$, then $-P = (-x, y)$. We let
$O' = (0, -1) \in E_{a,d}$, and denote by $\Omega_1 = [1 : 0 : 0]$ and $\Omega_2 = [0 : 1 : 0]$ the two points at infinity
of $E_{a,d}$.

Edwards curves were introduced in [9] as a convenient normal form for elliptic curves. Over
an algebraically closed field, every elliptic curve in Weierstrass form is birationally equivalent
to an Edwards curve, and vice versa. This is however not the case over $\mathbb{F}_q$, where Edwards
curves represent only a fraction of elliptic curves in Weierstrass form. In [6, Theorem 3.2]
it is shown that a twisted Edwards curve defined over $\mathbb{F}_q$ is birationally equivalent over $\mathbb{F}_q$
to an elliptic curve in Montgomery form, and conversely, an elliptic curve in Montgomery
form defined over $\mathbb{F}_q$ is birationally equivalent over $\mathbb{F}_q$ to a twisted Edwards curve. Moreover,
the twisted Edwards addition law corresponds to the usual addition law on an elliptic curve
in Weierstrass form via the birational isomorphism, as shown in [?, Theorem 3.2]. Similarly
to elliptic curves in Weierstrass form, the twisted Edwards addition law has a geometric
interpretation.


Proposition 3. ([2, Section 4]) Let $P_1, P_2 \in E_{a,d}$, and let $C$ be the projective conic passing
through $P_1, P_2, \Omega_1, \Omega_2$, and $O'$. Then the point $P_1 + P_2$ is the symmetric with respect to the
$y$-axis of the eighth point of intersection between $E_{a,d}$ and $C$.


1.2 Trace zero subgroups 

Let $E_{a,d}$ be a twisted Edwards curve defined over $\mathbb{F}_q$. We denote by $E_{a,d}(\mathbb{F}_{q^n})$ the group
of $\mathbb{F}_{q^n}$-rational points of $E_{a,d}$, by $P_\infty$ any point at infinity of $E_{a,d}$, and by $\varphi$ the Frobenius
endomorphism on $E_{a,d}$:

$$\varphi : E_{a,d} \to E_{a,d}, \quad (x, y) \mapsto (x^q, y^q), \quad P_\infty \mapsto P_\infty.$$

Definition 4. The trace zero subgroup $T_n$ of $E_{a,d}(\mathbb{F}_{q^n})$ is the kernel of the trace map

$$\mathrm{Tr} : E_{a,d}(\mathbb{F}_{q^n}) \to E_{a,d}(\mathbb{F}_q), \quad P \mapsto P + \varphi(P) + \varphi^2(P) + \cdots + \varphi^{n-1}(P).$$

We can view $T_n$ as the $\mathbb{F}_q$-rational points of an abelian variety of dimension $n - 1$ defined
over $\mathbb{F}_q$, called the trace zero variety. We refer to [1] for a construction and the basic properties
of the trace zero variety. The following result is an easy consequence of [1, Proposition 7.13].
Proposition 5. The sequence

$$0 \to E_{a,d}(\mathbb{F}_q) \to E_{a,d}(\mathbb{F}_{q^n}) \to T_n \to 0$$

is exact. Therefore the DLPs in $E_{a,d}(\mathbb{F}_{q^n})$ and in $T_n$ have the same complexity.

1.3 Representations 

Definition 6. Let $G$ be a finite set and $\ell \in \mathbb{Z}^+$. A representation of $G$ of size $\ell$ is a map

$$\mathcal{R} : G \to \mathbb{F}_2^{\ell},$$

with the property that an element of $\mathbb{F}_2^{\ell}$ has at most $d$ inverse images, where $d = O(1)$. A
representation is optimal if

$$\ell = \lceil \log_2 |G| \rceil + O(1).$$

Given $g \in G$ and $x \in \operatorname{Im} \mathcal{R}$, we call compression and decompression the process of
computing $\mathcal{R}(g)$ and $\mathcal{R}^{-1}(x)$, respectively.

Remark 7. Define an equivalence relation on $G$ via $g \sim h$ iff $\mathcal{R}(g) = \mathcal{R}(h)$. Any representation
$\mathcal{R}$ of $G$ of size $\ell$ induces an injective representation of $\bar{G} = G/\!\sim$ of size $\ell$:

$$\bar{\mathcal{R}} : \bar{G} \to \mathbb{F}_2^{\ell}.$$

Since $\log_2 |\bar{G}| = \log_2 |G| + O(1)$, $\mathcal{R}$ is an optimal representation of $G$ if and only if $\bar{\mathcal{R}}$ is an
optimal representation of $\bar{G}$. Hence the definition of optimal representation is independent of
the constant $d$.

Remark 8. It is well known that $\mathbb{F}_q$ has an optimal representation of size $\lceil \log_2 q \rceil$. Therefore,
if $|G| = \Theta(q^m)$, an optimal representation of $G$ may be given via

$$\mathcal{R} : G \to \mathbb{F}_q^m \times \mathbb{F}_2^k, \quad (1)$$

where $k = O(1)$.

In this paper we give two representations of $T_n$ with $m = n - 1$ and $d = n$ or $d = 2n$.
They are optimal, since $|T_n| = \Theta(q^{n-1})$ by Proposition 5.

2 An optimal representation using summation polynomials 

Let $\mathbb{F}_q$ be a finite field of odd characteristic and let $E_{a,d}$ be the twisted Edwards curve of
equation

$$a x^2 + y^2 = 1 + d x^2 y^2,$$

where $a, d \in \mathbb{F}_q \setminus \{0\}$ and $a \neq d$. Following ideas from [11], in this section we use Weil restriction
of scalars and Semaev's summation polynomials to write an equation for the subgroup $T_n$.
Similarly to the case of elliptic curves in Weierstrass form, a point $P = (x, y) \in E_{a,d}(\mathbb{F}_{q^n})$
can be represented via $y \in \mathbb{F}_{q^n}$. Using the curve equation, the value of $x$ can be recovered
up to sign. Hence, after choosing an $\mathbb{F}_q$-basis of $\mathbb{F}_{q^n}$, each pair of points $\pm P \in E_{a,d}(\mathbb{F}_{q^n})$
can be represented by the element $(y_0, \ldots, y_{n-1}) \in \mathbb{F}_q^n$ corresponding to $y \in \mathbb{F}_{q^n}$ under the
isomorphism $\mathbb{F}_{q^n} \cong \mathbb{F}_q^n$ induced by the chosen basis. Having an equation for $T_n$ allows us to
drop one of the $y_i$'s and represent each pair $\pm P$ via $n - 1$ coordinates in $\mathbb{F}_q$, thus providing
an optimal representation for the elements of $T_n$. In order to make the computation of the
compression and decompression maps more efficient, we modify this basic idea and use the
elementary symmetric functions of $y, y^q, \ldots, y^{q^{n-1}}$ instead of the vector $(y_0, \ldots, y_{n-1}) \in \mathbb{F}_q^n$.

Summation polynomials were introduced by Semaev in [16] for elliptic curves in Weierstrass
form. Here we use them in the form for Edwards curves from [18].

Definition 9. The $n$-th summation polynomial is denoted by $f_n$ and defined recursively
by

$$f_3(z_1, z_2, z_3) = (z_1^2 z_2^2 - z_1^2 - z_2^2 + a d^{-1})\, z_3^2 + 2(d - a) d^{-1} z_1 z_2 z_3 + a d^{-1}(z_1^2 + z_2^2 - 1) - z_1^2 z_2^2,$$

$$f_n(z_1, \ldots, z_n) = \operatorname{res}_t\big(f_{n-k}(z_1, \ldots, z_{n-k-1}, t),\ f_{k+2}(z_{n-k}, \ldots, z_n, t)\big)$$

for all $n \geq 4$ and for all $1 \leq k \leq n - 3$, where $\operatorname{res}_t(f_i, f_j)$ denotes the resultant of $f_i$ and $f_j$
with respect to $t$.

The next theorem summarizes the properties of summation polynomials. 

Theorem 10 ([16, Section 2] and [?, Section 2.3.1]). Let $n \geq 3$, let $f_n \in \mathbb{F}_q[z_1, \ldots, z_n]$ be
the $n$-th summation polynomial. Denote by $\mathbb{F}_q \subseteq k$ a field extension, and by $\bar{k}$ its algebraic
closure. Then:

1. $f_n$ is absolutely irreducible, symmetric, and has deg $2^{n-2}$ in each of the variables.

2. $(\beta_1, \ldots, \beta_n) \in \bar{k}^n$ is a root of $f_n$ if and only if there exist $\alpha_1, \ldots, \alpha_n \in \bar{k}$ such that
$P_i = (\alpha_i, \beta_i) \in E_{a,d}(\bar{k})$ and $P_1 + \cdots + P_n = O$.

By the previous theorem, if $P = (x, y) \in T_n$, then

$$f_n(y, y^q, \ldots, y^{q^{n-1}}) = 0. \quad (2)$$

A partial converse, and the exceptions to the opposite implication, are given in the next proposition.

Proposition 11. ([11, Lemma 1 and Proposition 4]) Let $E_{a,d}$ be a twisted Edwards curve and
denote by $E_{a,d}[m]$ its $m$-torsion points. We have:

(1) $T_3 = \{(x, y) \in E_{a,d}(\mathbb{F}_{q^3}) \mid f_3(y, y^q, y^{q^2}) = 0\}$,

(2) $T_5 \cup E_{a,d}[3](\mathbb{F}_q) = \{(x, y) \in E_{a,d}(\mathbb{F}_{q^5}) \mid f_5(y, y^q, \ldots, y^{q^4}) = 0\}$,

(3) $T_n \cup \bigcup_{k=1}^{(n-3)/2} E_{a,d}[n - 2k](\mathbb{F}_q) \subseteq \{(x, y) \in E_{a,d}(\mathbb{F}_{q^n}) \mid f_n(y, y^q, \ldots, y^{q^{n-1}}) = 0\}$ for $n \geq 7$.

Proof. The proof proceeds as in Lemma 1 and Proposition 4 of [11], after observing that for
any odd prime $n$ one has $E_{a,d}[2] \cap T_n = \{O\}$. $\square$

Remark 12. Proposition 11 raises the question of efficiently deciding, for each root $y \in \mathbb{F}_{q^n}$
of equation (2), whether the corresponding points $(\pm x, y) \in E_{a,d}$ are elements of $T_n$. However,
this issue is easily solved in the two cases of major interest $n = 3$ and $n = 5$. In fact:

• By Proposition 11 (1), $(\pm x, y) \in T_3$ if and only if $x \in \mathbb{F}_{q^3}$.

• By Proposition 11 (2), $(\pm x, y) \in T_5$ if and only if $x \in \mathbb{F}_{q^5}$ and $(\pm x, y) \notin E_{a,d}[3](\mathbb{F}_q) \setminus \{O\}$.
By storing the list $\mathcal{L}$ of the $y$-coordinates of the elements of $E_{a,d}[3](\mathbb{F}_q) \setminus \{O\}$, one can
easily decide whether a point of $E_{a,d}(\mathbb{F}_{q^5})$ of coordinates $(x, y)$ belongs to $T_5$ by checking
that $y \notin \mathcal{L}$. Notice that $\mathcal{L}$ consists of at most 4 elements of $\mathbb{F}_q$.

Using the above considerations as a starting point, we can give an optimal representation
for the points of $T_n$ with efficient compression and decompression algorithms.

1. Denote by $e_1, \ldots, e_n$ the elementary symmetric functions in $n$ variables. Represent
$(x, y) \in T_n$ via $n - 1$ of the elementary symmetric functions evaluated at $y, y^q, \ldots, y^{q^{n-1}}$. We
obtain an efficiently computable optimal representation

$$\mathcal{R} : T_n \to \mathbb{F}_q^{n-1}, \quad (x, y) \mapsto \big(e_i(y, y^q, \ldots, y^{q^{n-1}})\big)_{i = 1, \ldots, n-1}. \quad (3)$$

2. Since the polynomial $f_n(z_1, \ldots, z_n)$ is symmetric, we can write it uniquely as a polynomial
$g_n(e_1, \ldots, e_n) \in \mathbb{F}_q[e_1, \ldots, e_n]$. Therefore, the equation

$$g_n(e_1, \ldots, e_n) = 0$$

describes trace zero points (with the exceptions seen in Proposition 11) via the equations

$$e_1 = e_1(y_0, \ldots, y_{n-1}), \ \ldots, \ e_n = e_n(y_0, \ldots, y_{n-1}), \quad (4)$$

where the polynomials $e_1, \ldots, e_n$ are obtained from the polynomials

$$e_1(y, y^q, \ldots, y^{q^{n-1}}), \ \ldots, \ e_n(y, y^q, \ldots, y^{q^{n-1}})$$

by Weil restriction of scalars with respect to the chosen basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$, and reducing
modulo $y_i^q - y_i$ for $i \in \{0, \ldots, n-1\}$. Notice that the reduction simplifies the equations by
drastically reducing their degrees. Moreover, it does not alter their values when evaluated
over $\mathbb{F}_q$.

3. For $(e_1, \ldots, e_{n-1}) \in \mathcal{R}(T_n)$, we first solve $g_n(e_1, \ldots, e_{n-1}, t) = 0$ for $t$. For any solution
$e_n \in \mathbb{F}_q$, we solve system (4) to find $(y_0, \ldots, y_{n-1}) \in \mathbb{F}_q^n$, corresponding to $y \in \mathbb{F}_{q^n}$. From $y$
we can recover $x$ in the usual way (see also Remark 12).

Notice that $g_n(e_1, \ldots, e_n)$ is not linear in any of the variables for $n \geq 3$, hence in step 3 we
may find more than one value for $e_n$. This corresponds to the fact that $\mathcal{R}$ may identify more
than just opposites and Frobenius conjugates. However, this is a rare phenomenon, and for a
generic point $P \in T_n$, $\mathcal{R}^{-1}(\mathcal{R}(P))$ consists only of $\pm P$ and their Frobenius conjugates. We
come back to this discussion in Subsection 2.2, where we discuss this issue for $n = 5$.

We now give the pseudocode of a compression and a decompression algorithm for the elements
of $T_n$.

Algorithm 1 (Compression).

Input: $P = (x, y) \in T_n$
Output: $\mathcal{R}(P) \in \mathbb{F}_q^{n-1}$

1: Write $y = y_0 \alpha + \cdots + y_{n-1} \alpha^{q^{n-1}}$.

2: Compute $e_i = e_i(y_0, \ldots, y_{n-1})$ for $i = 1, \ldots, n-1$.

3: return $(e_1, \ldots, e_{n-1})$

Algorithm 2 (Decompression).

Input: $(e_1, \ldots, e_{n-1}) \in \mathbb{F}_q^{n-1}$
Output: $\mathcal{R}^{-1}(e_1, \ldots, e_{n-1}) \subseteq T_n$

1: Solve $g_n(e_1, \ldots, e_{n-1}, t) = 0$ for $t$ in $\mathbb{F}_q$.

2: $\mathcal{T} \leftarrow$ list of solutions of $g_n(e_1, \ldots, e_{n-1}, t) = 0$ in $\mathbb{F}_q$.

3: for $e_n \in \mathcal{T}$, find a solution in $\mathbb{F}_q^n$ of the system

$$e_1 = e_1(y_0, \ldots, y_{n-1}), \ \ldots, \ e_n = e_n(y_0, \ldots, y_{n-1})$$

if it exists.

4: Any time a solution $(y_0, \ldots, y_{n-1})$ is found, compute $y = y_0 \alpha + \cdots + y_{n-1} \alpha^{q^{n-1}}$.
5: Recover one of the corresponding $x$-coordinates using the curve equation.

6: end for

7: if $(x, y) \in T_n$ then

8: Add $P = (\pm x, y)$ and all its Frobenius conjugates to the list $L$ of output points.

9: end if
10: return $L$

2.1 Explicit equations, complexity, and timings for n = 3

In this subsection we give explicit equations for trace zero point compression and decompression
on twisted Edwards curves for $n = 3$. We also estimate the number of operations needed
for the computations, present some timings obtained with Magma, and compare with the
results from [11] for elliptic curves in short Weierstrass form.

The symmetrized third summation polynomial for $E_{a,d}$ is

$$g_3(e_1, e_2, e_3) = e_1^2 - 1 + (d/a)(e_3^2 - e_2^2) + (2d/a)\, e_1 e_3 - 2 e_2 + ((-2a + 2d)/a)\, e_3, \quad (5)$$

where $e_1, e_2$ and $e_3$ are the elementary symmetric polynomials in $y, y^q, y^{q^2}$:

$$e_1 = y + y^q + y^{q^2}, \qquad e_2 = y^{1+q} + y^{1+q^2} + y^{q+q^2}, \qquad e_3 = y^{1+q+q^2}. \quad (6)$$

The symmetrized third summation polynomial for an elliptic curve in short Weierstrass
form is

$$G_3(e_1, e_2, e_3) = e_2^2 - 4 e_1 e_3 - 4B e_1 - 2A e_2 + A^2. \quad (7)$$

Notice that, while $G_3$ is linear in $e_1$ and $e_3$, $g_3$ is of degree 2 in each variable. In particular,
none of $e_1, e_2, e_3$ is determined uniquely by the other two, as is the case for elliptic curves in
Weierstrass form. However, applying the change of coordinates

$$t_1 = e_1, \qquad t_2 = e_3 + e_2, \qquad t_3 = e_3 - e_2 \quad (8)$$

to $g_3$, we obtain the polynomial

$$g_3(t_1, t_2, t_3) = t_1^2 + (d/a)(t_2 t_3 + t_1 t_2 + t_1 t_3) + ((d/a) - 2)\, t_2 + (d/a)\, t_3 - 1, \quad (9)$$

that is linear in both $t_2$ and $t_3$.

Applying Weil restriction of scalars to the combination of (6) and (8) we obtain

$$t_1 = 3 y_0,$$
$$t_2 = y_0^3 - 3\mu y_0 y_1 y_2 + \mu y_1^3 + \mu^2 y_2^3 + 3 y_0^2 - 3\mu y_1 y_2, \quad (10)$$
$$t_3 = y_0^3 - 3\mu y_0 y_1 y_2 + \mu y_1^3 + \mu^2 y_2^3 - 3 y_0^2 + 3\mu y_1 y_2,$$

which express $t_1, t_2, t_3$ as polynomials in $y_0, y_1, y_2$.

Point Compression. For compression of a point $P = (x, y) \in T_3$ we use the first two
coordinates from (8) and (10), obtaining

$$\mathcal{R}(P) = (t_1, t_2) = \big(3 y_0,\ y_0^3 - 3\mu y_0 y_1 y_2 + \mu y_1^3 + \mu^2 y_2^3 + 3 y_0^2 - 3\mu y_1 y_2\big).$$

If we compute $t_2$ as $(y_0 + 1)(y_0^2 - 3\mu y_1 y_2) + \mu y_1^3 + \mu^2 y_2^3 + 2 y_0^2$, the cost of computing $\mathcal{R}(P)$
is 3S+4M in $\mathbb{F}_q$. In the case of elliptic curves in short Weierstrass form, computing the
representation of a point is less expensive, as it takes 1S+1M in $\mathbb{F}_q$ or 1M in $\mathbb{F}_q$ with the two
methods presented in [11, Section 5].

Point Decompression. In order to decompress $(t_1, t_2) \in \operatorname{Im} \mathcal{R}$ we proceed as follows.

1. Given $(t_1, t_2) \in \operatorname{Im} \mathcal{R}$, solve $g_3(t_1, t_2, t_3) = 0$ for $t_3$. If $t_1 + t_2 + 1 = 0$, then $g_3(t_1, t_2, t_3) = 0$
for all $t_3 \in \mathbb{F}_q$. If $t_1 + t_2 + 1 \neq 0$, then

$$t_3 = -\,\frac{((d/a) - 2)\, t_2 + (d/a)\, t_1 t_2 + (t_1 + 1)(t_1 - 1)}{(d/a)(t_1 + t_2 + 1)}.$$

Hence $t_3$ can be computed with 3M+1I in $\mathbb{F}_q$.





2. Given $(t_1, t_2, t_3)$, we solve system (10) for $y_0, y_1, y_2$. Notice that, since the $t_i$'s are
obtained from the $e_i$'s by a linear change of coordinates, all considerations from [11] apply to
our situation. In particular, one can compute $y$ from $(t_1, t_2, t_3)$ with at most 3S+3M+1I, 1
square root and 2 cube roots in $\mathbb{F}_q$.

Summarizing, the complete decompression algorithm takes at most 3S+6M+2I, 1 square
root, and 2 cube roots in $\mathbb{F}_q$. For elliptic curves in short Weierstrass form, decompression takes
at most 3S+5M+2I, 1 square root, and 2 cube roots in $\mathbb{F}_q$ or 4S+4M+2I, 1 square root and 2
cube roots in $\mathbb{F}_q$, depending on the method used. We refer the interested reader to [11, Section
5] for details on the complexity of the computation for curves in short Weierstrass form.
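As an added worked example (not the paper's Magma code), the following Python runs the whole $n = 3$ pipeline of Sections 1.2, 2 and 2.1 over constructed toy parameters: $\mathbb{F}_{q^3} = \mathbb{F}_q[\xi]/(\xi^3 - \mu)$ with $q = 31$ and $\mu = 3$, the twisted Edwards curve $2x^2 + y^2 = 1 + 6x^2y^2$, the Frobenius and trace map of Definition 4, a trace zero point obtained as $\varphi(P) - P$ (the standard map behind Proposition 5, assumed here), compression via the elementary symmetric functions and the coordinates (8), and decompression by solving (9) for $t_3$ and then the Weil-restricted system (10) with one square root and cube roots in $\mathbb{F}_q$. Square and cube roots in $\mathbb{F}_q$ are found by brute force, standing in for the root-finding routines counted in the operation estimates; the coefficient of $t_3$ is taken as $(d/a)(t_1 + t_2 + 1)$, which is what substituting (8) into (5) gives. All names and parameter values are this example's own.

```python
from itertools import product

# Constructed toy parameters (not from the paper): 3 | q - 1, mu = 3 is not a cube mod 31, and
# a = 2 (a square), d = 6 (a non-square) make the twisted Edwards addition law complete.
q, mu, a, d, n = 31, 3, 2, 6, 3
def inv(z): return pow(z % q, q - 2, q)

class F3:
    """Element y0 + y1*xi + y2*xi^2 of F_{q^3} = F_q[xi]/(xi^3 - mu), the basis of Section 1."""
    def __init__(self, c0=0, c1=0, c2=0): self.c = (c0 % q, c1 % q, c2 % q)
    def __eq__(self, o): return self.c == o.c
    def __hash__(self): return hash(self.c)
    def __add__(self, o): return F3(*(s + t for s, t in zip(self.c, o.c)))
    def __sub__(self, o): return F3(*(s - t for s, t in zip(self.c, o.c)))
    def __neg__(self): return F3(*(-s for s in self.c))
    def __mul__(self, o):  # schoolbook product, then reduce xi^3 = mu and xi^4 = mu*xi
        a0, a1, a2 = self.c; b0, b1, b2 = o.c
        return F3(a0*b0 + mu*(a1*b2 + a2*b1), a0*b1 + a1*b0 + mu*a2*b2, a0*b2 + a1*b1 + a2*b0)
    def __pow__(self, e):
        r, b = F3(1), self
        while e:
            if e & 1: r = r * b
            b = b * b; e >>= 1
        return r
    def inverse(self): return self ** (q**3 - 2)

ZERO, ONE = F3(), F3(1)
O = (ZERO, ONE)                                   # neutral element (0, 1) of Definition 2

def sqrt3(z):  # square root in F_{q^3} or None; q^3 = 3 (mod 4), so z^((q^3+1)/4) works
    r = z ** ((q**3 + 1) // 4)
    return r if r * r == z else None
def add(P, Q):  # twisted Edwards addition law of Definition 2
    (x1, y1), (x2, y2) = P, Q
    t = F3(d) * x1 * x2 * y1 * y2
    return ((x1*y2 + x2*y1) * (ONE + t).inverse(), (y1*y2 - F3(a)*x1*x2) * (ONE - t).inverse())
def neg(P): return (-P[0], P[1])
def frob(P): return (P[0] ** q, P[1] ** q)           # the Frobenius endomorphism phi

def trace(P):  # Tr(P) = P + phi(P) + ... + phi^{n-1}(P), Definition 4
    T, R = O, P
    for _ in range(n): T, R = add(T, R), frob(R)
    return T
def x_from_y(y):  # an x with a x^2 + y^2 = 1 + d x^2 y^2 in F_{q^3}, or None
    den = F3(a) - F3(d) * y * y
    return sqrt3((ONE - y * y) * den.inverse()) if den != ZERO else None
def find_point():  # deterministically pick a point of E_{a,d}(F_{q^3}) that is not F_q-rational
    for c in product(range(q), repeat=3):
        y = F3(*c); x = x_from_y(y)
        if x is not None and frob((x, y)) != (x, y): return (x, y)

def e_sym(y):  # elementary symmetric functions e1, e2, e3 of y, y^q, y^{q^2}; they lie in F_q
    c0, c1, c2 = y, y ** q, y ** (q * q)
    return tuple(e.c[0] for e in (c0 + c1 + c2, c0*c1 + c0*c2 + c1*c2, c0*c1*c2))
def g3(e1, e2, e3):  # a * g3(e1, e2, e3) of equation (5); zero on every trace zero point
    return (a*(e1*e1 - 1) + d*(e3*e3 - e2*e2) + 2*d*e1*e3 - 2*a*e2 + 2*(d - a)*e3) % q
def compress(P):  # R(P) = (t1, t2) = (e1, e3 + e2): the coordinates (8) of Section 2.1
    e1, e2, e3 = e_sym(P[1])
    return (e1, (e3 + e2) % q)

def roots_mod_q(f):  # brute-force roots over F_q, standing in for square/cube root routines
    return [z for z in range(q) if f(z) % q == 0]
def solve_t3(t1, t2):  # g3 in the t-coordinates (9) is linear in t3
    da = d * inv(a) % q
    coef, rhs = da * (t1 + t2 + 1) % q, -(t1*t1 - 1 + da*t1*t2 + (da - 2)*t2) % q
    if coef == 0: return list(range(q)) if rhs == 0 else []   # degenerate: every t3 solves it
    return [rhs * inv(coef) % q]

def solve_y(e1, e2, e3):
    # All y in F_{q^3} with these e1, e2, e3, from system (10) written in the e_i:
    # e1 = 3y0, e2 = 3y0^2 - 3mu y1y2, e3 = y0^3 + mu y1^3 + mu^2 y2^3 - 3mu y0y1y2.
    y0 = e1 * inv(3) % q
    w = (3*y0*y0 - e2) * inv(3 * mu) % q           # w = y1*y2
    c = (e3 - y0**3 + 3*mu*y0*w) % q               # c = mu*y1^3 + mu^2*y2^3
    sols = set()
    for s in roots_mod_q(lambda z: z*z - (c*c - 4*mu**3*w**3)):   # 1 square root
        A, B = (c + s) * inv(2) % q, (c - s) * inv(2) % q           # {A, B} = {mu y1^3, mu^2 y2^3}
        for y1 in roots_mod_q(lambda z: z**3 - A * inv(mu)):          # 2 cube roots
            for y2 in roots_mod_q(lambda z: z**3 - B * inv(mu * mu)):
                if y1 * y2 % q == w: sols.add(F3(y0, y1, y2))
    return {y for y in sols if e_sym(y) == (e1, e2, e3)}

def decompress(t1, t2):  # R^{-1}(t1, t2): Algorithm 2 for n = 3
    out = set()
    for t3 in solve_t3(t1, t2):
        e2, e3 = (t2 - t3) * inv(2) % q, (t2 + t3) * inv(2) % q
        for y in solve_y(t1, e2, e3):
            x = x_from_y(y)
            if x is None: continue                     # y is not the y-coordinate of a point
            out.update(P for P in ((x, y), (-x, y)) if trace(P) == O)   # keep trace zero only
    return out

def demo():
    P = find_point()
    Q = add(frob(P), neg(P))     # phi(P) - P has trace zero (the map behind Proposition 5)
    t = compress(Q)
    return Q, t, decompress(*t)
```

Calling `demo()` returns a trace zero point $Q$, its two-coordinate compression, and the decompressed set, which contains $\pm Q$ and their Frobenius conjugates; every point in that set is trace zero and compresses back to the same pair, and $g_3$ of (5) vanishes on $Q$'s symmetric functions. The trace check in `decompress` is redundant for $n = 3$ by Proposition 11 (1) but makes the membership test explicit.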

Remark 13. Notice that one can also use $(t_1, t_3)$ as an optimal representation of $(x, y) \in T_3$,
and then solve $g_3$ for $t_2$ in order to recover $y$. This choice is analogous to the one we have
made, and the computational cost of compression and decompression does not change.

Remark 14. The symmetry of twisted Edwards curves makes the computation of point
addition on these curves more efficient than on elliptic curves in short Weierstrass form.
However, the same symmetry results in summation polynomials of higher degree and with a
denser support. This explains our empirical observation that the summation polynomials in
the elementary symmetric functions for elliptic curves in short Weierstrass form are sparser
than those for twisted Edwards curves for $n = 3, 5$, even though for both curves they have
the same degree $2^{n-2}$. For $n = 3$, this behavior is apparent if one compares equations (5) and
(7). Therefore, one should expect that compression and decompression for a representation
based on summation polynomials for twisted Edwards curves are less efficient than for elliptic
curves in short Weierstrass form. This is confirmed by our findings.

The following examples and statistics have been implemented in Magma [7]. 

Example 15. Let $q = 2^{79} - 67$ and $\mu = 3$. We choose random curves, defined and birationally
equivalent over $\mathbb{F}_q$:

$$E_{a,d} : 31468753957068040687814\, x^2 + y^2 = 1 + 192697821276638966498997\, x^2 y^2$$

and

$$E : y^2 = x^3 + 292467848427659499478503\, x + 361361026736404004345421.$$

We choose a random point of trace zero $P' \in E(\mathbb{F}_{q^3})$, and let $P$ be the corresponding point on
$E_{a,d}$. For brevity, here we only write the $x$-coordinates of points of $E$ and the $y$-coordinates
of points of $E_{a,d}$:

$$P' = 346560928146076959314753\, \xi^2 + 456826539628535981034212\, \xi + 344167470403026652826672,$$

$$P = 208520713897518236215966\, \xi^2 + 451121944550219947368811\, \xi + 68041089860429901306252.$$

We represent the points of $E$ using the compression coordinates $(t_1, t_2)$ from [11, Section 5].
Denote by $\mathcal{R}$ and $\mathcal{R}'$ the representation maps on $E_{a,d}$ and $E$, respectively. We compute

$$\mathcal{R}'(P') = (344167470403026652826672,\ 334324534997495805088214),$$

$$\mathcal{R}(P) = (204123269581289703918756,\ 98788782936076524413527).$$
We now apply the corresponding decompression algorithms to $\mathcal{R}'(P')$ and $\mathcal{R}(P)$. We obtain

$\mathcal{R}'^{-1}(344167470403026652826672,\ 334324534997495805088214) =$

$\{346560928146076959314753\, \xi^2 + 456826539628535981034212\, \xi + 344167470403026652826672,$
$164759498614507503187493\, \xi^2 + 361520690988197751534381\, \xi + 344167470403026652826672,$
$93142483046730124850775\, \xi^2 + 390578588997895442137449\, \xi + 344167470403026652826672\},$

which are exactly the $x$-coordinate of $P'$ and its Frobenius conjugates. Similarly

$\mathcal{R}^{-1}(204123269581289703918756,\ 98788782936076524413527) =$

$\{208520713897518236215966\, \xi^2 + 451121944550219947368811\, \xi + 68041089860429901306252,$
$539321536961066855011167\, \xi^2 + 237431391097642968386719\, \xi + 68041089860429901306252,$
$461083568756044083478909\, \xi^2 + 520372483966766258950512\, \xi + 68041089860429901306252\},$

which are exactly the $y$-coordinate of $P$ and its Frobenius conjugates.

We now give an estimate of the average time of compression and decompression for groups
of different bit-size. We consider primes $q_1, q_2$, and $q_3$ such that $3 \mid q_i - 1$ for all $i$, of bit-length
96, 112, and 128, respectively. For each $q_i$, we consider five pairs of birationally
equivalent curves $(E, E_{a,d})$ defined over $\mathbb{F}_{q_i}$, such that the order of $T_3$ is prime of bit-length
respectively 192, 224 and 256. On each pair of curves we randomly choose 20,000 pairs
of points $(P', P)$ of trace zero, as in Example 15. For each pair of points, we compute
$\mathcal{R}'(P'), \mathcal{R}(P), \mathcal{R}'^{-1}(\mathcal{R}'(P')), \mathcal{R}^{-1}(\mathcal{R}(P))$. For each computation, we consider the average time
in milliseconds for each curve, and then the average over the five curves. The average
computation times are reported in the table below.

Table 1. Average times in milliseconds for n = 3.

Bit-length of |T_3|           192      224      256
Compression on E              0.006    0.005    0.006
Compression on E_{a,d}        0.016    0.017    0.015
Decompression on E            0.81     2.40     1.20
Decompression on E_{a,d}      0.88     2.44     1.17


The following table contains the ratios between the average times for point compression 
and decompression on elliptic curves in short Weierstrass form and twisted Edwards curves. 

Table 2. Ratios of the average times for n = 3.

Bit-length of |T_3|                    192      224      256
Comp on E / Comp on E_{a,d}            0.375    0.294    0.400
Dec on E / Dec on E_{a,d}              0.920    0.984    1.026
2.2 Explicit equations, complexity, and timings for n = 5

In this subsection we treat in detail the case $n = 5$. We compute explicit equations for
compression and decompression, give an estimate of the complexity of the computations in
terms of the number of operations, and give some timings computed in Magma. We also
compare with the results obtained in [11] for elliptic curves in short Weierstrass form.

The fifth Semaev polynomial for a twisted Edwards curve has degree 40, while for
curves in short Weierstrass form it has degree 32. The first polynomial also contains many
more terms than the second. This agrees with what we observed in Remark 14 for the case
$n = 3$. The symmetrized fifth summation polynomial $g_5$ has degree 8 for both Weierstrass
and Edwards curves. However, for Edwards curves $g_5$ has degree 8 in each variable, while for
elliptic curves in short Weierstrass form it has degree 6 in some of the variables. For
these reasons, we expect that compression and decompression for a trace zero subgroup
coming from a twisted Edwards curve are less efficient than for one coming from a curve in
short Weierstrass form.

For fields such that $16 \mid q - 1$, we perform a linear change of coordinates on the $e_i$'s in order
to obtain a polynomial $\tilde{g}_5$ of degree strictly less than 8 in some variable. The polynomial $g_5$
is too big to be printed here. However, denoting by $(g_5)_8$ the part of $g_5$ which is homogeneous
of degree 8, we have:

$$(g_5)_8(e_1, \ldots, e_5) = e_1^8 + (d/a)^4 (e_2^8 + e_3^8) + (d/a)^8 (e_4^8 + e_5^8). \quad (11)$$

Let $\mu_1 \in \mathbb{F}_q$ be a primitive 16-th root of unity. Then we can factor $t^8 + s^8$ over $\mathbb{F}_q$ as

$$t^8 + s^8 = (t - \mu_1 s)(t + \mu_1 s)\, r_6(t, s).$$

Therefore, (11) can be written in the form

$$(g_5)_8 = e_1^8 + (d/a)^4 (e_2 - \mu_1 e_3)(e_2 + \mu_1 e_3)\, p_6(e_2, e_3) + (d/a)^8 (e_4^8 + e_5^8).$$

Hence, after performing the change of coordinates

$$t_2 = e_2 - \mu_1 e_3, \qquad t_3 = e_2 + \mu_1 e_3, \qquad t_i = e_i \ \text{for } i = 1, 4, 5,$$

we obtain a polynomial $\tilde{g}_5(t_1, \ldots, t_5)$ of degree 8 in $t_1, t_4, t_5$, and degree 7 in $t_2, t_3$.

Example 16. Let $q = 2^{10} - 3$, $\mu = 2$. Consider the Edwards curve $E_{1,6}$ of equation
$x^2 + y^2 = 1 + 6 x^2 y^2$. Let $P \in T_5$ be the point

$$P = (u, v) = (951\xi^4 + 338\xi^3 + 246\xi^2 + 934\xi + 133,\ 650\xi^4 + 927\xi^3 + 301\xi^2 + 171\xi + 973).$$

The compression of $P$ is $\mathcal{R}(P) = (e_1, e_2, e_3, e_4) = (686, 289, 865, 418)$. In order to decompress,
we solve

$$g_5(e_1, e_2, e_3, e_4, t) = g_5(686, 289, 865, 418, t) = 71t^8 + 705t^7 + 1007t^6 + 970t^5 + 233t^4 + 1014t^3 + 356t^2 + 198t + 575 = 0,$$

which has a unique solution $e_5 = 790 \in \mathbb{F}_q$. In order to recover the value of $y$ up to Frobenius
conjugates, we find a root in $\mathbb{F}_{q^5}$ of

$$y^5 - e_1 y^4 + e_2 y^3 - e_3 y^2 + e_4 y - e_5 = y^5 + 335y^4 + 289y^3 + 156y^2 + 418y + 231.$$

Notice that the five roots are Frobenius conjugates of each other. From one $y \in \mathbb{F}_{q^5}$ we can
recompute $x$ via the curve equation, hence recover one of the Frobenius conjugates of $\pm P$. So
the decompression algorithm returns $\mathcal{R}^{-1}(\mathcal{R}(P)) = \{\pm P, \pm\varphi(P), \pm\varphi^2(P), \pm\varphi^3(P), \pm\varphi^4(P)\}$.

We now give an example that presents some indeterminacy in the decompression algorithm.

Example 17. Let $q = 2^{10} - 3$ and consider the Edwards curve

$$E_{210,924} : 210 x^2 + y^2 = 1 + 924 x^2 y^2$$

and the point

$$P = (1020\xi^4 + 713\xi^3 + 158\xi^2 + 745\xi + 515,\ 891\xi^4 + 557\xi^3 + 135\xi^2 + 976\xi + 62) \in T_5.$$

The compressed representation of $P$ is $\mathcal{R}(P) = (e_1, e_2, e_3, e_4) = (310, 887, 19, 660)$. The
decompressing equation is

$$g_5(e_1, e_2, e_3, e_4, t) = 62t^8 + 502t^7 + 388t^6 + 294t^5 + 2t^4 + 466t^3 + 723t^2 + 55t + 388 = 0,$$

which has solutions $e_5 = 428$, $e_5' = 835$, $e_5'' = 550 \in \mathbb{F}_q$. By solving the equation

$$y^5 - e_1 y^4 + e_2 y^3 - e_3 y^2 + e_4 y - e_5 = y^5 + 310y^4 + 887y^3 + 19y^2 + 660y + 593 = 0$$

we recover the $y$-coordinate of $P$ and all its Frobenius conjugates. By solving the equation

$$y^5 - e_1 y^4 + e_2 y^3 - e_3 y^2 + e_4 y - e_5' = y^5 + 310y^4 + 887y^3 + 19y^2 + 660y + 186 = 0$$

we find roots in $\mathbb{F}_{q^5}$ which do not correspond to points of trace zero. By solving the equation

$$y^5 - e_1 y^4 + e_2 y^3 - e_3 y^2 + e_4 y - e_5'' = y^5 + 310y^4 + 887y^3 + 19y^2 + 660y + 471 = 0$$

we find $Q \in T_5$ which is not a Frobenius conjugate of $P$. Hence in this case

$$\mathcal{R}^{-1}(\mathcal{R}(P)) = \{\pm P, \ldots, \pm\varphi^4(P), \pm Q, \ldots, \pm\varphi^4(Q)\}.$$

Denote by $T_5/\!\sim$ the quotient of $T_5$ by the equivalence relation that identifies opposite
points and Frobenius conjugates. The representation (3) induces a representation

$$\mathcal{R}' : T_5/\!\sim\ \to \mathbb{F}_q^4.$$

In the previous example we showed that $\mathcal{R}'$ is not injective. Nevertheless, an easy heuristic
argument shows that a generic $(e_1, \ldots, e_4) \in \operatorname{Im} \mathcal{R}'$ has exactly one inverse image. In order
to support the heuristics, we tested 15,000 random points in the trace zero subgroup $T_5$ of
15 Edwards curves. The groups had prime cardinality and bit-length 192, 224, and 256. For
any random point $P$ we computed the cardinality of $\mathcal{R}'^{-1}(\mathcal{R}'(P))$, and found that it is 1 for
about 91% of the points, 2 for about 8.5% of the points, and 3 for about 0.5% of the points.
We also found a few points for which $|\mathcal{R}'^{-1}(\mathcal{R}'(P))| = 4$, but the percentage was less than
0.02%. Finally, we did not find any points for which $4 < |\mathcal{R}'^{-1}(\mathcal{R}'(P))| \leq 8$.

In order to test the efficiency of the compression and decompression algorithms for $n = 5$,
we have implemented them in Magma [7]. We consider primes $q_1, q_2$, and $q_3$ of bit-length 48,
56, and 64, respectively. We choose primes such that $5 \mid q_i - 1$ for all $i$. For each $q_i$ we consider
five pairs of birationally equivalent curves $(E, E_{a,d})$ defined over $\mathbb{F}_{q_i}$, such that the order of
$T_5$ is prime of bit-length 192, 224, and 256, respectively. The following table contains the
average times for compression and decompression in milliseconds. Each average is computed
on a set of 20,000 randomly chosen points on each of the five curves.

Table 3. Average times in milliseconds for n = 5.

Bit-length of |T_5|           192      224       256
Compression on E              0.057    0.055     0.060
Compression on E_{a,d}        0.049    0.058     0.053
Decompression on E            64.17    104.31    121.51
Decompression on E_{a,d}      63.66    104.45    121.42


The following table contains the ratios between the average times for point compression 
and decompression on elliptic curves in short Weierstrass form and twisted Edwards curves. 

Table 4. Ratios of the average times for n = 5.

Bit-length of |T_5|                    192      224      256
Comp on E / Comp on E_{a,d}            1.163    0.948    1.132
Dec on E / Dec on E_{a,d}              1.008    0.999    1.001


3 An optimal representation using rational functions 

Let $E_{a,d}$ be a twisted Edwards curve defined over $\mathbb{F}_q$. In this section, we propose another
optimal representation for the trace zero subgroup $T_n \subseteq E_{a,d}(\mathbb{F}_{q^n})$ using rational functions.

In [12] the authors propose to represent an element $P \in T_n$ via the coefficients of the
rational function which corresponds to the principal divisor $P + \varphi(P) + \cdots + \varphi^{n-1}(P) - nO$
on the elliptic curve. Optimality of the representation depends on the fact that the rational
function associated to this divisor has a special form, and can therefore be represented using
$n - 1$ coefficients in $\mathbb{F}_q$. If we consider a principal divisor of the form $P + \varphi(P) + \cdots + \varphi^{n-1}(P) - nO$
on the twisted Edwards curve $E_{a,d}$, there are several questions that need to be answered.
E.g., the rational function associated to this divisor is not a polynomial in general, so one
needs to overcome some difficulties in order to successfully carry out the same strategy.

We start with some preliminary results on rational functions on a twisted Edwards curve. If $h$ is a rational function on $E_{a,d}$, we denote by $\operatorname{div}(h)$ the divisor of the homogeneous rational function associated to $h$ on the projective closure of $E_{a,d}$. Throughout the section we use $(u,v)$ for the coordinates of the point and $x, y$ for the variables of the rational functions, in order to avoid confusion.
Lemma 18. Let $c \in k$ such that $ad^{-1} = c^2$, where $k = \mathbb{F}_q$ or $k = \mathbb{F}_{q^2}$ depending on whether $ad^{-1}$ is a quadratic residue in $\mathbb{F}_q$ or not. Let $R(x,y) \in k(x,y)$ be a rational function over $E_{a,d}$. Then $R$ can be written in the form
$$R(x,y) = (y-c)^{k_1}(y+c)^{k_2}\,\frac{r_1(y) + x\,r_2(y)}{r_3(y)},$$
modulo $E_{a,d}$, where $r_1, r_2, r_3 \in k[y]$, $\gcd\{r_1, r_2, r_3\} = 1$, $r_3(\pm c) \neq 0$, and $k_1, k_2 \le 0$.

Proof. Using the relation $x^2 = \frac{1 - y^2}{a - dy^2}$, we can write $R(x,y)$ in the form
$$R(x,y) = \frac{s_1(y) + x\,s_2(y)}{s_3(y) + x\,s_4(y)},$$
where $s_i(y) \in k[y]$ for $1 \le i \le 4$. Multiplying and dividing by $s_3(y) - x\,s_4(y)$, we obtain:
$$R(x,y) = \frac{t_1(y) + x\,t_2(y)}{t_3(y)},$$
where $t_i(y) \in k[y]$ for $1 \le i \le 3$. Simplifying the fraction and factoring $y - c$ and $y + c$ as much as possible from the denominator, we obtain the thesis. □


Lemma 19. In the setting of Lemma 18, assume that $R$ has poles at most at the points at infinity $\Omega_1$ and $\Omega_2$. Then
$$R(x,y) = (y-c)^{k_1}(y+c)^{k_2}\bigl(q_1(y) + x\,q_2(y)\bigr),$$
modulo $E_{a,d}$, where $q_1(y), q_2(y) \in k[y]$, $q_i(\pm c) \neq 0$ for $i = 1, 2$, and $k_1, k_2 \le 0$.

Proof. By Lemma 18 we can write
$$R(x,y) = (y-c)^{k_1}(y+c)^{k_2}\,\frac{r_1(y) + x\,r_2(y)}{r_3(y)}.$$
Since $(y-c)^{k_1} = 0$ and $(y+c)^{k_2} = 0$ have no affine zeroes on $E_{a,d}$, $R$ has poles at most at the points at infinity if and only if the order of vanishing of $r_3$ on $E_{a,d}$ at each affine point is less than or equal to the order of vanishing of $r_1 + x\,r_2$ on $E_{a,d}$ at the same point.

Let $P = (u,v)$ be a point such that $r_3(v) = 0$. Write $r_3$ in the form $r_3(y) = (y-v)^m t_3(y)$, where $t_3(v) \neq 0$ and $m > 0$. The order of vanishing of $r_3$ on $E_{a,d}$ at $P$ is $m$ if $u \neq 0$, and $2m$ if $u = 0$. In fact, the only points in which $E_{a,d}$ has a horizontal tangent line are $O$ and $O'$. The same holds for the order of vanishing of $r_3$ at $-P$. From $r_1(v) + u\,r_2(v) = r_1(v) - u\,r_2(v) = 0$ we obtain that $r_1(v) = u\,r_2(v) = 0$. Therefore, since $\gcd\{r_1, r_2, r_3\} = 1$, we have $r_2(v) \neq 0$ and $u = 0$. The order of vanishing of $r_1 + x\,r_2$ on $E_{a,d}$ at $P$ is 1, since $P$ is a smooth point and the tangent line at $P$ to the curve of equation $r_1(y) + x\,r_2(y)$ is not horizontal. But the order of vanishing of $r_3$ on $E_{a,d}$ at $P$ is bigger than $m$, which yields a contradiction. □

In the introduction of this section, we hinted at the difficulty that if $P \in T_n$ is a point of trace zero on a twisted Edwards curve $E_{a,d}$, the rational function associated to the principal divisor $P + \varphi(P) + \dots + \varphi^{n-1}(P) - nO$ is not in general a polynomial. Lemma 19 offers a solution to this problem: considering a modified principal divisor, whose associated rational function is a polynomial.
Theorem 20. Let $E_{a,d}$ be a twisted Edwards curve defined over $\mathbb{F}_q$ and let $P \in T_n \subseteq E_{a,d}(\mathbb{F}_{q^n})$. Then there exists a polynomial $q_P(x,y) = q_1(y) + x\,q_2(y) \in \mathbb{F}_q[x,y]$, with $q_1(y), q_2(y) \in \mathbb{F}_q[y]$, such that

1. $\operatorname{div}(q_P) = P + \varphi(P) + \dots + \varphi^{n-1}(P) + O' - 2\Omega_1 - (n-1)\Omega_2$.

2. $\max\{\deg(q_1), \deg(q_2)\} = \frac{n-1}{2}$.

3. $q_1(y) = (1+y)\,\tilde q_1(y)$, where $\tilde q_1 \in \mathbb{F}_q[y]$ and $\deg(\tilde q_1) \le \frac{n-3}{2}$.

4. $q_2$ is not the zero polynomial.

Proof. 1. The point $P = (u,v)$ has trace zero, hence $P + \varphi(P) + \dots + \varphi^{n-1}(P) = O$. Then there exists a rational function $f$ on $E_{a,d}$ defined over $\mathbb{F}_q$ such that
$$\operatorname{div}(f) = P + \varphi(P) + \dots + \varphi^{n-1}(P) - nO.$$
The polynomial $H(x,y) = x(1-y)^{\frac{n-1}{2}} \in \mathbb{F}_q[x,y]$ corresponds to the divisor
$$\operatorname{div}(H) = nO + O' - 2\Omega_1 - (n-1)\Omega_2.$$
Therefore
$$\operatorname{div}(fH) = P + \varphi(P) + \dots + \varphi^{n-1}(P) + O' - 2\Omega_1 - (n-1)\Omega_2.$$
By Lemma 19 we can write
$$fH = (y-c)^{k_1}(y+c)^{k_2}\bigl(q_1(y) + x\,q_2(y)\bigr),$$
where $q_1(y), q_2(y)$ are polynomials, $k_1, k_2 \le 0$, and $ad^{-1} = c^2$. We now prove that $k_1 = k_2 = 0$, i.e. $fH = q_P$, from which we get part 1. For each $1 \le i \le n$, let $P_i = \varphi^{i-1}(P)$. For each $1 \le i \le n-2$, let $\phi_i$ be the conic with
$$\operatorname{div}(\phi_i) = (P_1 + \dots + P_{i-1} + P_i) + P_{i+1} + \bigl(-(P_1 + \dots + P_i + P_{i+1})\bigr) + O' - 2\Omega_1 - 2\Omega_2.$$
Notice that $\phi_i$ exists by [2, Theorem 1 and Theorem 2], and it is unique up to multiplication by a constant. For each $1 \le i \le n-3$, let $h_i$ be the horizontal line through the point $P_1 + \dots + P_{i+1} \in E_{a,d}$. Then
$$\operatorname{div}(h_i) = (P_1 + \dots + P_{i+1}) + \bigl(-(P_1 + \dots + P_{i+1})\bigr) - 2\Omega_2.$$
Since $\operatorname{div}(x) = O + O' - 2\Omega_1$, $\operatorname{div}(1-y) = 2O - 2\Omega_2$, and $f$ has no zeroes or poles at infinity, we have the equality of rational functions:
$$f = \frac{\phi_1 \phi_2 \cdots \phi_{n-2}}{x^{n-2}(1-y)\,h_1 h_2 \cdots h_{n-3}},$$
up to multiplication by a nonzero constant. Therefore
$$fH = \frac{\phi_1 \phi_2 \cdots \phi_{n-2}\,(1-y)^{\frac{n-3}{2}}}{h_1 h_2 \cdots h_{n-3}\,x^{n-3}} = \frac{(a - dy^2)^{\frac{n-3}{2}}}{h(y)\,(1+y)^{\frac{n-3}{2}}} \prod_{i=1}^{n-2} \phi_i \qquad (12)$$
modulo the curve equation, where $h(y) = \prod_{i=1}^{n-3} h_i$ and $\deg(h) = n-3$. For each $1 \le i \le n-2$, $\phi_i$ is of the form $\phi_i = B_i(y)\,x + A_i(y)$, where $B_i(y)$ and $A_i(y)$ are polynomials in $y$ of degree at most 1, by [2, Theorem 1]. Hence
$$\prod_{i=1}^{n-2} \phi_i = H_{n-2}(y)\,x^{n-2} + H_{n-3}(y)\,x^{n-3} + \dots + H_1(y)\,x + H_0(y),$$
where each $H_j(y)$ is a polynomial in $y$ of degree at most $n-2$. Then, reducing modulo $E_{a,d}$ we obtain
$$(a - dy^2)^{\frac{n-3}{2}} \prod_{i=1}^{n-2} \phi_i(x,y) = R_1(y) + x\,R_2(y),$$
where each $R_i(y)$ is a polynomial of $\deg(R_i) \le \max\{\deg(H_j)\} + n - 3 \le 2n - 5$. The denominator of (12) divides both $R_1(y)$ and $R_2(y)$ by Lemma 19. Hence, letting $R_i(y) = q_i(y)\,h(y)\,(1+y)^{\frac{n-3}{2}}$ for $i = 1, 2$, we have that $fH = q_P$.

2. Using the notation of part 1, we have
$$\deg(q_i) = \deg(R_i) - \deg(1+y)^{\frac{n-3}{2}} - \deg(h) \le 2n - 5 - \frac{n-3}{2} - (n-3) = \frac{n-1}{2} \qquad (13)$$
for $i = 1, 2$. Moreover, by part 1
$$\operatorname{div}(q_{-P}) = (-P) + \dots + \varphi^{n-1}(-P) + O' - 2\Omega_1 - (n-1)\Omega_2,$$
and modulo $E_{a,d}$
$$q_P(x,y)\,q_{-P}(x,y) = q_1^2(y) - \frac{1 - y^2}{a - dy^2}\,q_2^2(y).$$
Since $\operatorname{div}(a - dy^2) = 4\Omega_1 - 4\Omega_2$, the polynomial $R_P(y) = (a - dy^2)\,q_1^2(y) - (1 - y^2)\,q_2^2(y)$ has
$$\operatorname{div}(R_P) = (\pm P) + (\pm\varphi(P)) + \dots + (\pm\varphi^{n-1}(P)) + 2O' - 2(n+1)\Omega_2.$$
Hence $(1+y)\prod_{i=0}^{n-1}\bigl(y - v^{q^i}\bigr) \mid R_P(y)$, therefore
$$n + 1 \le \deg(R_P(y)) \le 2 + 2\max\{\deg(q_1), \deg(q_2)\} \qquad (14)$$
and part 2 follows directly from (13) and (14). We have also obtained that $R_P$ is a polynomial of degree exactly $n+1$ with coefficients in $\mathbb{F}_q$ and roots $-1, v^{q^i}$ for $0 \le i \le n-1$: we will need this result in the sequel.

3. Since $q_P$ vanishes at $O' = (0,-1)$, then $q_1$ is of the form
$$q_1(y) = (1+y)\,\tilde q_1(y),$$
where $\tilde q_1 \in \mathbb{F}_q[y]$ and $\deg(\tilde q_1) \le \frac{n-3}{2}$.

4. If $q_2$ was the zero polynomial, then $q_P = q_1(y)$ would vanish on $O'$ with multiplicity at least 2, contradicting part 1.

□
Computation of $q_P$. In the proof of the previous theorem we have seen that one can compute the polynomial $q_P$ as
$$q_P = \frac{\phi_1 \phi_2 \cdots \phi_{n-2}\,(1-y)^{\frac{n-3}{2}}}{h_1 h_2 \cdots h_{n-3}\,x^{n-3}} \qquad (15)$$
where for each $1 \le i \le n$, $P_i = \varphi^{i-1}(P)$, for each $1 \le i \le n-2$, $\phi_i$ is the conic through $(P_1 + \dots + P_{i-1} + P_i)$, $P_{i+1}$, $O'$, $2\Omega_1$ and $2\Omega_2$, and for each $1 \le i \le n-3$, $h_i$ is the horizontal line through $P_1 + \dots + P_{i+1} \in E_{a,d}$. Notice that we can easily calculate $\phi_i$ for each $i$, employing the formulas given in [2, Theorem 1 and Theorem 2].

We now discuss how to use the polynomial $q_P$ to represent $P$ via $(n-1)$ elements of $\mathbb{F}_q$ plus a bit. As a consequence of Theorem 20, $q_P$ has the form
$$q_P(x,y) = (1+y)\Bigl(a_{\frac{n-3}{2}}\,y^{\frac{n-3}{2}} + \dots + a_1 y + a_0\Bigr) + x\Bigl(b_{\frac{n-1}{2}}\,y^{\frac{n-1}{2}} + \dots + b_1 y + b_0\Bigr)$$
where $a_i, b_j \in \mathbb{F}_q$ for all $i, j$, and $b_{\frac{n-1}{2}} \in \{0, 1\}$. We have therefore obtained an optimal representation for the elements of $T_n$:
$$\mathcal{R}: T_n \to \mathbb{F}_q^{\,n-1} \times \mathbb{F}_2, \qquad P \mapsto \Bigl(a_0, \dots, a_{\frac{n-3}{2}}, b_0, \dots, b_{\frac{n-1}{2}}\Bigr).$$


We now give the complete algorithm for point compression. 
Algorithm 3 (Compression).

Input: $P \in T_n$

Output: $\mathcal{R}(P) \in \mathbb{F}_q^{\,n-1} \times \mathbb{F}_2$

1: Compute $q_P(x,y) = q_1(y) + x\,q_2(y)$ using (12) and reducing modulo $E_{a,d}$.

2: Compute $\tilde q_1(y) = q_1(y)/(1+y) = a_{\frac{n-3}{2}}\,y^{\frac{n-3}{2}} + \dots + a_1 y + a_0$.

3: $q_2(y) = b_{\frac{n-1}{2}}\,y^{\frac{n-1}{2}} + \dots + b_1 y + b_0$.

4: $\mathcal{R}(P) \leftarrow \bigl(a_0, \dots, a_{\frac{n-3}{2}}, b_0, \dots, b_{\frac{n-1}{2}}\bigr)$.

5: return $\mathcal{R}(P)$.


Correctness of the compression algorithm is a direct consequence of our previous results. 

Given an $n$-tuple $(a_1, \dots, a_{n-1}, b) \in \mathbb{F}_q^{\,n-1} \times \mathbb{F}_2$ such that $(a_1, \dots, a_{n-1}, b) = \mathcal{R}(P)$ for some $P \in T_n$, we want to compute the decompression $\mathcal{R}^{-1}(a_1, \dots, a_{n-1}, b)$. We start with some preliminary results. The next lemma guarantees that the $x$-coordinate of $P$ can be computed from its $y$-coordinate and the polynomial $q_P$.

Lemma 21. Let $P = (u,v) \in T_n$, let $q_P(x,y) = q_1(y) + x\,q_2(y) \in \mathbb{F}_q[x,y]$ be the polynomial with $\operatorname{div}(q_P) = P + \varphi(P) + \dots + \varphi^{n-1}(P) + O' - 2\Omega_1 - (n-1)\Omega_2$. Then: $q_2(v) = 0$ if and only if $P = O$.
Proof. If $q_2(v) = 0$, then $q_1(v) = 0$, hence $q_P(-u, v) = 0$. Since the affine points of the curve on which $q_P$ vanishes are exactly $O'$ and $\varphi^i(P)$ for $0 \le i \le n-1$ by Theorem 20 and $O' \notin T_n$, then $-P = \varphi^i(P)$ for some $i$. If $i = 0$, we have $-P = P$, hence $P = O$. If $i \neq 0$, then $(-u, v) = (u^{q^i}, v^{q^i})$ for some $i \in \{1, \dots, n-1\}$. Then $v \in \mathbb{F}_{q^i} \cap \mathbb{F}_{q^n} = \mathbb{F}_q$ and $u^{q^{2i}} = u \in \mathbb{F}_{q^{2i}} \cap \mathbb{F}_{q^n} = \mathbb{F}_q$. Hence $P \in E_{a,d}(\mathbb{F}_q)$ and $-P = \varphi^i(P) = P$, from which $P = O$.

Conversely, if $P = O$ then $q_P(x,y) = x(1-y)^{\frac{n-1}{2}}$ and $q_2(1) = 0$. □

Given $q_P(x,y)$, we can compute a polynomial $Q_P(y)$ whose roots are exactly the Frobenius conjugates of the $y$-coordinate of $P$. This will be used in our decompression algorithm.

Proposition 22. Let $P = (u,v) \in T_n$, let $q_P(x,y) = (1+y)\,\tilde q_1(y) + x\,q_2(y) \in \mathbb{F}_q[x,y]$ be the polynomial with $\operatorname{div}(q_P) = P + \varphi(P) + \dots + \varphi^{n-1}(P) + O' - 2\Omega_1 - (n-1)\Omega_2$. Define
$$Q_P(y) = (a - dy^2)(1+y)\,\tilde q_1^{\,2}(y) + (y-1)\,q_2^{\,2}(y).$$
Then $Q_P(y) \in \mathbb{F}_q[y]$, $\deg Q_P = n$, and its roots are $v, v^q, \dots, v^{q^{n-1}}$.

Proof. Let $R_P = (a - dy^2)\,q_1^2(y) - (1 - y^2)\,q_2^2(y) = (1+y)\bigl[(a - dy^2)(1+y)\,\tilde q_1^{\,2}(y) - (1-y)\,q_2^2(y)\bigr]$. Then $Q_P(y) = (1+y)^{-1} \cdot R_P(y)$, and the claim follows by Theorem 20. □

We are now ready to give the decompression algorithm. 


Algorithm 4 (Decompression).

Input: $(a_1, \dots, a_{n-1}, b) \in \mathbb{F}_q^{\,n-1} \times \mathbb{F}_2$

Output: $P = (u,v) \in T_n$ with $\mathcal{R}(P) = (a_1, \dots, a_{n-1}, b)$

1: $\tilde q_1(y) \leftarrow a_{\frac{n-1}{2}}\,y^{\frac{n-3}{2}} + \dots + a_2 y + a_1$.

2: $q_2(y) \leftarrow b\,y^{\frac{n-1}{2}} + a_{n-1}\,y^{\frac{n-3}{2}} + \dots + a_{\frac{n+3}{2}}\,y + a_{\frac{n+1}{2}}$.

3: $Q_P(y) \leftarrow (a - dy^2)\cdot(1+y)\cdot\tilde q_1^{\,2}(y) + (y-1)\cdot q_2^{\,2}(y)$.

4: $v \leftarrow$ one root of $Q_P(y)$.

5: if $v = 1$ then $u \leftarrow 0$ else $u \leftarrow -\dfrac{\tilde q_1(v)\,(v+1)}{q_2(v)}$ end if

6: return $(u, v)$.


Remark 23. Let $P \in T_n$ be a point with $\mathcal{R}(P) = (a_1, \dots, a_{n-1}, b)$. By Theorem 20, the Frobenius conjugates of $P$ are the only other points of $T_n$ with the same representation. Correctness of the first four lines of the algorithm follows from Proposition 22 and correctness of line 5 follows from Lemma 21. Hence the given algorithm correctly recovers the point $P$, up to Frobenius conjugates.

3.1 Explicit equations, complexity, and timings for $n = 3$

In this subsection we give explicit equations and perform some computations for $n = 3$. We estimate the number of operations needed for the compression and decompression, and present some timings obtained with Magma. We also make comparisons with trace zero subgroups of elliptic curves in short Weierstrass form treated in [12].


Point Compression. Let $P = (u,v) \in T_3$. By Theorem 20 we may write
$$q_P(x,y) = (1+y)\,\tilde q_1(y) + x\,q_2(y) = a_0(1+y) + x(b_1 y + b_0),$$
where $a_0, b_0 \in \mathbb{F}_q$, $b_1 \in \{0, 1\}$.

If $P \notin E_{a,d}(\mathbb{F}_q)$, let $t =$ [missing]. Notice that $u \neq 0$, since $u = 0$ implies $P = O$, hence $P \in E_{a,d}(\mathbb{F}_q)$.


1. If $t^q - t \neq 0$, by Theorem 1 of [2]
$$\mathcal{R}(P) = (a_0, b_0, b_1) = \left(\frac{v^q - v}{t - t^q},\; -a_0 t - v,\; 1\right).$$
Computing $t$ from $u$ and $v$ takes 1M+1I in $\mathbb{F}_{q^3}$. Once we have $t$, the situation is analogous to the case of elliptic curves in short Weierstrass form. Hence we refer to [12, Section 5.1] for a detailed discussion of how to efficiently compute $\mathcal{R}(P)$. In particular, it is shown that one can compute $a_0$ and $b_0$ with 2S+6M+1I in $\mathbb{F}_q$. Summarizing, point compression in this case takes 1M+1I in $\mathbb{F}_{q^3}$ and 2S+6M+1I in $\mathbb{F}_q$. Due to the calculation of $t$, it is more expensive than that for elliptic curves in short Weierstrass form.


2. If $t^q - t = 0$, then $q_P$ is the line passing through $P$ and $O'$ by [2, Theorem 1]. Hence
$$\mathcal{R}(P) = (-t^{-1}, 1, 0). \qquad (17)$$
Since $O' \notin T_3$, then $t \neq 0$. In this case point compression requires only 1M+1I in $\mathbb{F}_{q^3}$.

If $P \in E_{a,d}(\mathbb{F}_q)$, then the computation takes place in $\mathbb{F}_q$ instead of $\mathbb{F}_{q^3}$, hence we expect the complexity to be lower. We carry on a precise operation count, as in the previous case.


3. If $du^2 v - 1 \neq 0$, by [2, Theorem 1]
$$\mathcal{R}(P) = \left(\frac{u(1-v)}{du^2 v - 1},\; \frac{v - au^2}{du^2 v - 1},\; 1\right).$$
Therefore, point compression takes 1S+4M+1I in $\mathbb{F}_q$.

4. If $du^2 v - 1 = 0$, then the situation is analogous to 2. and $\mathcal{R}(P)$ is given by (17). Hence point compression requires 1M+1I in $\mathbb{F}_q$.

Since 1. is the generic case, the expected complexity of point compression is 1M+1I in $\mathbb{F}_{q^3}$ and 2S+6M+1I in $\mathbb{F}_q$.

Point Decompression. Let $(a_1, a_2, b) \in \mathbb{F}_q^{\,2} \times \mathbb{F}_2$ and $P = (u,v) \in T_3$ such that $\mathcal{R}(P) = (a_1, a_2, b)$. In order to recover $P$ from $\mathcal{R}(P)$, we want to find the roots of
$$Q_P(y) = (b - da_1^2)\,y^3 + (-da_1^2 + 2a_2 b - b)\,y^2 + (aa_1^2 - 2a_2 b + a_2^2)\,y + (aa_1^2 - a_2^2).$$
They are the solutions of the system
$$\begin{cases} y + y^q + y^{q^2} = c\,(da_1^2 - 2a_2 b + b) \\[2pt] y^{q+1} + y^{q^2+1} + y^{q^2+q} = c\,(aa_1^2 - 2a_2 b + a_2^2) \\[2pt] y^{1+q+q^2} = c\,(-aa_1^2 + a_2^2) \end{cases} \qquad (18)$$
where $c = (b - da_1^2)^{-1}$. Notice that $(b - da_1^2) \neq 0$, since $Q_P$ has degree 3 by Proposition 22.

Computing the constant terms of (18) takes 2S+3M+1I in $\mathbb{F}_q$. Computing a solution of the system takes at most 3S+3M+1I, one square root and two cube roots in $\mathbb{F}_q$, as shown in [12]. Finally, computing $u$ from $v$ requires 2M+1I in $\mathbb{F}_{q^3}$. Summarizing, for $n = 3$ point decompression takes at most 2M+1I in $\mathbb{F}_{q^3}$ and 5S+6M+2I, one square root and two cube roots in $\mathbb{F}_q$. It is more expensive than that for elliptic curves in short Weierstrass form, which takes at most 1M in $\mathbb{F}_{q^3}$ and 5S+4M+1I, one square root and two cube roots in $\mathbb{F}_q$.
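A constructed end-to-end check of the $n = 3$ formulas above, written for this page and not taken from the paper or its Magma implementation. It assumes a toy field $\mathbb{F}_{31^3}$ and the curve $x^2 + y^2 = 1 + 3x^2y^2$ (chosen so that the addition law is complete), takes $t = (1+v)/u$ (an assumption consistent with (17)), derives $a_0$ and $b_0$ from $q_P(P) = q_P(\varphi(P)) = 0$ with $b_1 = 1$, and then verifies that the cubic $Q_P(y)$ vanishes at the Frobenius conjugates of $v$ and that step 5 of Algorithm 4 returns the matching $u$.

```python
# Constructed n = 3 example (not the paper's Magma code); the curve and field are assumed toy values.
Q, R = 31, 3      # q = 31; F_{q^3} = F_q[xi]/(xi^3 - 3), irreducible since 3 is not a cube mod 31
A, D = 1, 3       # a = 1 is a square and d = 3 a non-square mod 31, so the addition law is complete
assert pow(R, (Q - 1) // 3, Q) != 1 and pow(D, (Q - 1) // 2, Q) == Q - 1

class F:
    """Element of F_{q^3}: coefficients (c0, c1, c2) of 1, xi, xi^2."""
    def __init__(self, c0, c1=0, c2=0):
        self.c = (c0 % Q, c1 % Q, c2 % Q)
    def __add__(s, o): return F(*(x + y for x, y in zip(s.c, o.c)))
    def __sub__(s, o): return F(*(x - y for x, y in zip(s.c, o.c)))
    def __neg__(s): return F(*(-x for x in s.c))
    def __eq__(s, o): return s.c == o.c
    def __mul__(s, o):
        (a0, a1, a2), (b0, b1, b2) = s.c, o.c      # reduce with xi^3 = R
        return F(a0*b0 + R*(a1*b2 + a2*b1), a0*b1 + a1*b0 + R*a2*b2, a0*b2 + a1*b1 + a2*b0)
    def __pow__(s, e):
        r, b = F(1), s
        while e:
            if e & 1: r = r * b
            b, e = b * b, e >> 1
        return r
    def inv(s): return s ** (Q**3 - 2)
    def frob(s): return s ** Q                     # Frobenius phi: x -> x^q
    def in_base_field(s): return s.c[1] == s.c[2] == 0

ONE, AA, DD = F(1), F(A), F(D)

def add(P1, P2):
    (x1, y1), (x2, y2) = P1, P2
    t = DD * x1 * x2 * y1 * y2
    return ((x1*y2 + y1*x2) * (ONE + t).inv(), (y1*y2 - AA*x1*x2) * (ONE - t).inv())

def neg(P): return (-P[0], P[1])
def frob_pt(P): return (P[0].frob(), P[1].frob())

def trace_zero_point(c):
    """Lift y = c + xi + xi^2 to Q = (x, y) and return P = Q - phi(Q) in T_3; None if y does not lift or phi(P) = P."""
    y = F(c, 1, 1)
    z = (ONE - y*y) * (AA - DD*y*y).inv()
    x = z ** ((Q**3 + 1) // 4)                    # square root, valid since q^3 = 3 mod 4
    if x * x != z:
        return None
    P = add((x, y), neg(frob_pt((x, y))))          # trace of P is Q - phi^3(Q) = O
    return P if frob_pt(P) != P else None

def compress(P):
    """R(P) = (a_0, b_0, b_1) with q_P = a_0(1+y) + x(b_1 y + b_0); P != O and t = (1+v)/u assumed."""
    u, v = P
    t = (ONE + v) * u.inv()
    if t.frob() == t:                              # case 2 of the text: q_P is the line through P and O'
        return (-t.inv(), ONE, 0)
    a0 = (v.frob() - v) * (t - t.frob()).inv()     # from q_P(P) = q_P(phi(P)) = 0 with b_1 = 1
    return (a0, -a0 * t - v, 1)

def cubic_QP(a0, b0, b1):
    """Coefficients [y^3, y^2, y, 1] of Q_P from the n = 3 formula (a_1 := a_0, a_2 := b_0, b := b_1)."""
    bb, two = F(b1), F(2)
    aa, dd = AA * a0 * a0, DD * a0 * a0
    return [bb - dd, -dd + two*b0*bb - bb, aa - two*b0*bb + b0*b0, aa - b0*b0]

def recover_x(a0, b0, b1, v):
    """Step 5 of Algorithm 4: u = -q_1(v)/q_2(v) = -a_0(1+v)/(b_1 v + b_0)."""
    return F(0) if v == ONE else -a0 * (ONE + v) * (F(b1) * v + b0).inv()

def roundtrip(P):
    """True iff P has trace zero, R(P) is in F_q^2 x {0,1}, and each conjugate of v is a root of Q_P giving the matching u."""
    a0, b0, b1 = compress(P)
    coeffs = cubic_QP(a0, b0, b1)
    ok = add(add(P, frob_pt(P)), frob_pt(frob_pt(P))) == (F(0), ONE) and a0.in_base_field() and b0.in_base_field()
    for _ in range(3):
        acc = F(0)
        for coef in coeffs:
            acc = acc * P[1] + coef                # Horner evaluation of Q_P at a conjugate of v
        ok = ok and acc == F(0) and recover_x(a0, b0, b1, P[1]) == P[0]
        P = frob_pt(P)
    return ok

def example_point():
    return next(P for P in map(trace_zero_point, range(Q)) if P is not None)   # first lift found
```

Running `roundtrip(example_point())` exercises compression, the cubic $Q_P$ and the $x$-recovery on one orbit; `trace_zero_point(c)` for other `c` gives further points of $T_3$.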

We now give an example and some statistics implemented in Magma. We follow the same setup as in Example 15 and compare with the method for elliptic curves in short Weierstrass form proposed in [12].

Example 24. Let $q = 2^{79} - 67$ and $n = 3$. We choose random, birationally equivalent curves defined over $\mathbb{F}_q$:
$$E_{a,d}: 31468753957068040687814\,x^2 + y^2 = 1 + 192697821276638966498997\,x^2y^2$$
and
$$E: y^2 = x^3 + 292467848427659499478503\,x + 361361026736404004345421.$$
We choose a random point $P' \in E(\mathbb{F}_{q^3})$ of trace zero, and let $P$ be the corresponding point on $E_{a,d}$. For brevity, we only write the $x$-coordinates of points of $E$ and the $y$-coordinates of points of $E_{a,d}$:
$$P' = 346560928146076959314753\,\xi^2 + 456826539628535981034212\,\xi + 344167470403026652826672,$$
$$P = 208520713897518236215966\,\xi^2 + 451121944550219947368811\,\xi + 68041089860429901306252.$$
We denote by $\mathcal{R}$ and $\mathcal{R}'$ the representation maps on $E_{a,d}$ and $E$, respectively. We compute:
$$\mathcal{R}'(P') = (48823870679406912678832,\; 283451751560764957720302),$$
$$\mathcal{R}(P) = (a_0, b_0, b_1) = (313084342552232820027816,\; 535814703179324297074161,\; 1).$$
Applying the decompression algorithms to $\mathcal{R}'(P')$ and $\mathcal{R}(P)$, we obtain
$$\mathcal{R}'^{-1}(48823870679406912678832,\; 283451751560764957720302) =$$
$$\{346560928146076959314753\,\xi^2 + 456826539628535981034212\,\xi + 344167470403026652826672,$$
$$164759498614507503187493\,\xi^2 + 361520690988197751534381\,\xi + 344167470403026652826672,$$
$$93142483046730124850775\,\xi^2 + 390578588997895442137449\,\xi + 344167470403026652826672\},$$
which are the $x$-coordinates of $P'$ and its Frobenius conjugates. Similarly
$$\mathcal{R}^{-1}(313084342552232820027816,\; 535814703179324297074161,\; 1) =$$
$$\{208520713897518236215966\,\xi^2 + 451121944550219947368811\,\xi + 68041089860429901306252,$$
$$539321536961066855011167\,\xi^2 + 237431391097642968386719\,\xi + 68041089860429901306252,$$
$$461083568756044083478909\,\xi^2 + 520372483966766258950512\,\xi + 68041089860429901306252\},$$
which are the $y$-coordinates of $P$ and its Frobenius conjugates.

We now give an estimate of the average time of compression and decompression for groups of different bit-size. We consider primes $q_1$, $q_2$, and $q_3$ such that $3 \mid q_i - 1$ for all $i$, of bit-length 96, 112, and 128, respectively. For each $q_i$, we consider five pairs of birationally equivalent curves $(E, E_{a,d})$ defined over $\mathbb{F}_{q_i}$, such that the order of $T_3$ is prime of bit-length respectively 192, 224 and 256. On each pair of curves we randomly choose 20,000 pairs of points $(P', P)$ of trace zero which correspond to each other via the birational isomorphism between the curves. For each pair of points, we compute $\mathcal{R}'(P')$, $\mathcal{R}(P)$, $\mathcal{R}'^{-1}(\mathcal{R}'(P'))$, $\mathcal{R}^{-1}(\mathcal{R}(P))$. For each computation, we consider the average time in milliseconds for each curve, and then the averages over the five curves. The average computation times are reported in the table below.

Table 5.

  Bit-length of $|T_3|$          192      224      256
  Compression on $E$             0.015    0.013    0.011
  Compression on $E_{a,d}$       0.034    0.037    0.035
  Decompression on $E$           0.09     0.13     0.15
  Decompression on $E_{a,d}$     0.14     0.19     0.20

The next table contains the ratios of the average times for point compression and decompression on elliptic curves in short Weierstrass form and twisted Edwards curves.

Table 6.

  Bit-length of $|T_3|$                      192      224      256
  Comp on $E$ / Comp on $E_{a,d}$            0.441    0.351    0.314
  Dec on $E$ / Dec on $E_{a,d}$              0.643    0.684    0.750


3.2 Explicit equations, complexity, and timings for $n = 5$

In this subsection we give explicit equations and perform computations for $n = 5$. We estimate the number of operations needed for the computations and present some timings obtained with Magma. We also make comparisons with the method proposed in [12] for elliptic curves in short Weierstrass form.

Point Compression. Let $P \in T_5$. By Theorem 20, $q_P$ is of the form
$$q_P(x,y) = (1+y)\,\tilde q_1(y) + x\,q_2(y) = (1+y)(a_1 y + a_0) + x(b_2 y^2 + b_1 y + b_0)$$
where $a_0, a_1, b_0, b_1 \in \mathbb{F}_q$, and $b_2 \in \mathbb{F}_2$. By (12)
$$(1+y)\,h_1 h_2\,q_P = \phi_1 \phi_2 \phi_3\,(a - dy^2)$$
modulo $E_{a,d}$ and up to a nonzero constant factor. We consider the generic case, where $b_2 = 1$ and $\phi_i$ is of the form
$$\phi_i(x,y) = p_i(y+1) + x(y + q_i)$$
with $p_i, q_i \in \mathbb{F}_{q^5}$, and $i \in \{1, 2, 3\}$. Denote by $k_1$ and $k_2$ the $y$-coordinates of $P_1 + P_2$ and $P_1 + P_2 + P_3$, respectively. We have
$$\mathcal{R}(P) = (a_0, a_1, b_0, b_1, 1),$$
where
$$a_1 = k \cdot \bigl(d(p_1 p_2 p_3) + (p_1 + p_2 + p_3)\bigr),$$
$$a_0 = k \cdot \bigl(3d(p_1 p_2 p_3) + (p_1 q_2 + p_1 q_3 + q_1 p_2 + q_1 p_3 + p_2 q_3 + q_2 p_3) + (p_1 + p_2 + p_3)\bigr) + a_1 \cdot (k_1 + k_2 - 2),$$
$$b_1 = k \cdot \bigl(d(p_1 p_2 q_3 + p_1 p_3 q_2 + p_2 p_3 q_1) + 2d(p_1 p_2 + p_1 p_3 + p_2 p_3) + (q_1 + q_2 + q_3)\bigr) + (k_1 + k_2 - 1),$$
$$b_0 = k \cdot \bigl(2d(p_1 p_2 q_3 + p_1 p_3 q_2 + p_2 p_3 q_1) + (d - a)(p_1 p_2 + p_1 p_3 + p_2 p_3) + (q_1 q_2 + q_1 q_3 + q_2 q_3) - 1\bigr) + b_1(k_1 + k_2 - 1) + (k_1 + k_2 - k_1 k_2),$$
$$k = \bigl(d(p_1 p_2 + p_1 p_3 + p_2 p_3) + 1\bigr)^{-1}.$$
Computing $\phi_1$, $\phi_2$, and $\phi_3$ takes 2S+34M+2I in $\mathbb{F}_{q^5}$. Computing $a_0, a_1, b_0, b_1$ with the formulas above requires 45M+1I in $\mathbb{F}_{q^5}$. So point compression for $n = 5$ takes a total of 2S+79M+3I in $\mathbb{F}_{q^5}$. The method of [12] for elliptic curves in short Weierstrass form is less expensive, as it takes 3S+18M+3I in $\mathbb{F}_{q^5}$.

Point Decompression. Let $(a_1, a_2, a_3, a_4, b) \in \mathbb{F}_q^{\,4} \times \mathbb{F}_2$ and let $P = (u,v) \in T_5$ such that $\mathcal{R}(P) = (a_1, a_2, a_3, a_4, b)$. In order to decompress $\mathcal{R}(P)$, we look for the roots of
$$Q_P(y) = Q_5 y^5 + Q_4 y^4 + Q_3 y^3 + Q_2 y^2 + Q_1 y + Q_0,$$
where
$$\begin{aligned}
Q_0 &= aa_1^2 - a_3^2 \\
Q_1 &= aa_1^2 + 2aa_1a_2 + a_3^2 - 2a_3a_4 \\
Q_2 &= -da_1^2 + 2aa_1a_2 + aa_2^2 + 2a_3a_4 - 2a_3b - a_4^2 \\
Q_3 &= -da_1^2 - 2da_1a_2 + aa_2^2 + 2a_3b + a_4^2 - 2a_4b \\
Q_4 &= -2da_1a_2 - da_2^2 + 2a_4b - b \\
Q_5 &= -da_2^2 + b.
\end{aligned}$$
This amounts to solving the system
$$\begin{cases} e_1(y, y^q, \dots, y^{q^4}) = -Q_5^{-1} Q_4 \\[2pt] e_2(y, y^q, \dots, y^{q^4}) = Q_5^{-1} Q_3 \\[2pt] e_3(y, y^q, \dots, y^{q^4}) = -Q_5^{-1} Q_2 \\[2pt] e_4(y, y^q, \dots, y^{q^4}) = Q_5^{-1} Q_1 \\[2pt] e_5(y, y^q, \dots, y^{q^4}) = -Q_5^{-1} Q_0 \end{cases}$$
where $e_i(y, y^q, \dots, y^{q^4})$ is the $i$-th elementary symmetric polynomial in $y, y^q, \dots, y^{q^4}$. Computing the constants in the system takes 4S+7M+1I in $\mathbb{F}_q$, while solving the system requires $O(\log_2 q)$ operations in $\mathbb{F}_q$ following the approach from [12]. Finally, recovering $u$ from $v$ takes 1S+5M+1I in $\mathbb{F}_{q^5}$. The computational cost of point decompression is comparable to that of the decompression algorithm from [12] for elliptic curves in short Weierstrass form.

In order to estimate the average time of compression and decompression for groups of different bit-size, we consider primes $q_1$, $q_2$, and $q_3$ such that $3 \mid q_i - 1$ for all $i$, of bit-length 96, 112, and 128, respectively. For each $q_i$, we consider five pairs of birationally equivalent curves $(E, E_{a,d})$ defined over $\mathbb{F}_{q_i}$, such that the order of $T_5$ is prime of bit-length respectively 192, 224 and 256. On each pair of curves we randomly choose 20,000 pairs of points $(P', P)$ of trace zero which correspond to each other via the birational isomorphism between the curves. For each pair of points, we compute $\mathcal{R}'(P')$, $\mathcal{R}(P)$, $\mathcal{R}'^{-1}(\mathcal{R}'(P'))$, $\mathcal{R}^{-1}(\mathcal{R}(P))$. For each computation, we consider the average time in milliseconds for each curve, and then the averages over the five curves. The average computation times are reported in the table below.

Table 7.

  Bit-length of $|T_5|$          192      224      256
  Compression on $E$             1.566    1.725    1.894
  Compression on $E_{a,d}$       1.704    1.868    2.052
  Decompression on $E$           6.10     31.69    36.99
  Decompression on $E_{a,d}$     6.15     31.37    36.59

The next table contains the ratios of the average times for point compression and decompression on elliptic curves in short Weierstrass form and twisted Edwards curves.

Table 8.

  Bit-length of $|T_5|$                      192      224      256
  Comp on $E$ / Comp on $E_{a,d}$            0.919    0.923    0.923
  Dec on $E$ / Dec on $E_{a,d}$              0.992    1.010    1.011
Finally, Table 9 summarizes the number of operations for point compression and decompression. We compare the operation count from this paper with the one for elliptic curves in short Weierstrass form from [12].

Table 9.

  Compression, n = 3, elliptic        2S+6M+1I in $\mathbb{F}_q$
  Compression, n = 3, Edwards         1M+1I in $\mathbb{F}_{q^3}$ and 2S+6M+1I in $\mathbb{F}_q$
  Decompression, n = 3, elliptic      1M in $\mathbb{F}_{q^3}$, 5S+4M+1I, one square root, two cube roots in $\mathbb{F}_q$
  Decompression, n = 3, Edwards       2M+1I in $\mathbb{F}_{q^3}$, 5S+6M+2I, one square root, two cube roots in $\mathbb{F}_q$
  Compression, n = 5, elliptic        3S+18M+3I in $\mathbb{F}_{q^5}$
  Compression, n = 5, Edwards         2S+79M+3I in $\mathbb{F}_{q^5}$
  Decompression, n = 5, elliptic      $O(\log_2 q)$ operations in $\mathbb{F}_q$, 1S+3M+1I in $\mathbb{F}_{q^5}$
  Decompression, n = 5, Edwards       $O(\log_2 q)$ operations in $\mathbb{F}_q$, 1S+5M+1I in $\mathbb{F}_{q^5}$